From the FTC:
The Federal Trade Commission has finalized a proposed settlement that it announced in June 2010 with social networking site Twitter, which resolved charges that Twitter deceived consumers and put their privacy at risk by failing to safeguard their personal information. The FTC alleged that serious lapses in the company’s data security allowed hackers to obtain unauthorized administrative control of Twitter, including both access to non-public user information and tweets that consumers had designated as private, and the ability to send out phony tweets from any account.
The privacy policy posted on Twitter’s website stated that “Twitter is very concerned about safeguarding the confidentiality of your personally identifiable information. We employ administrative, physical, and electronic measures designed to protect your information from unauthorized access.” In addition, Twitter offered its users privacy settings that enabled them to designate their tweets as private.
The FTC’s complaint alleged that between January and May of 2009, hackers were able to gain administrative control of Twitter on two occasions.
Under the terms of the settlement, Twitter will be barred for 20 years from misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information, including the measures it takes to prevent unauthorized access to nonpublic information and honor the privacy choices made by consumers. The company also must establish and maintain a comprehensive information security program, which will be assessed by an independent auditor every other year for 10 years.
The Commission vote to accept the settlement as final was 5-0.
NOTE: A consent agreement is for settlement purposes only and does not constitute an admission by the respondent that the law has been violated. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $16,000.
A copy of the complaint and other documents on the case are linked from the FTC’s site.